CVE-2026-4286
Description
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to check if team_id was being changed when updating playbooks, allowing users with only Manage Playbook Configurations permission to change a playbook's team, bypassing manage members restriction via PUT API. Mattermost Advisory ID: MMSA-2025-00552
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Mattermost fails to validate team_id changes when updating playbooks, allowing users with Manage Playbook Configurations to bypass team membership restrictions.
Vulnerability
Mattermost versions 11.5.x <= 11.5.1 and 10.11.x <= 10.11.13 do not verify whether the team_id parameter is being changed when a user updates a playbook via the PUT API. This allows a user who holds the Manage Playbook Configurations permission to move a playbook to a different team, bypassing the intended team membership restriction. The advisory reference is MMSA-2025-00552 [1].
Exploitation
An attacker needs only the Manage Playbook Configurations permission on the source playbook. No special network position is required beyond normal authenticated API access. The attacker sends a PUT request to the playbook update endpoint with the playbook's existing fields and a team_id that names a different team. Because the server never compares the submitted team_id with the stored one, the change is applied without any check of the attacker's rights on the destination team [1].
Impact
By successfully moving a playbook to another team, the attacker can cause the playbook to be visible and potentially executable by members of the new team, which may include unauthorized users. This violates the team-based access control policy, potentially leading to unintended disclosure of playbook configurations and workflows. The CVSS score is 3.1 (Low) due to the requirement for an existing permission and the limited scope of the bypass [1].
Mitigation
Mattermost has released security updates. Users should upgrade to Mattermost versions 11.5.2 or later, or 10.11.14 or later, to remediate the issue. No workaround is documented in the available references. The advisory identifier is MMSA-2025-00552 [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: 11.5.x <= 11.5.1, 10.11.x <= 10.11.13
Patches
161edcdbfcc80 [MM-67626] Update Playbooks plugin to v2.8.0 (#35549) (#35588)
1 file changed · +2 −2
server/Makefile+2 −2 modified@@ -158,7 +158,7 @@ PLUGIN_PACKAGES += mattermost-plugin-calls-v1.11.4 PLUGIN_PACKAGES += mattermost-plugin-github-v2.6.0 PLUGIN_PACKAGES += mattermost-plugin-gitlab-v1.12.0 PLUGIN_PACKAGES += mattermost-plugin-jira-v4.5.1 -PLUGIN_PACKAGES += mattermost-plugin-playbooks-v2.7.0 +PLUGIN_PACKAGES += mattermost-plugin-playbooks-v2.8.0 PLUGIN_PACKAGES += mattermost-plugin-servicenow-v2.4.0 PLUGIN_PACKAGES += mattermost-plugin-zoom-v1.12.0 PLUGIN_PACKAGES += mattermost-plugin-agents-v1.7.2 @@ -174,7 +174,7 @@ PLUGIN_PACKAGES += mattermost-plugin-channel-export-v1.3.0 # download the package from to work. This will no longer be needed when we unify # the way we pre-package FIPS and non-FIPS plugins. ifeq ($(FIPS_ENABLED),true) - PLUGIN_PACKAGES = mattermost-plugin-playbooks-v2.7.0%2B1031c5e-fips + PLUGIN_PACKAGES = mattermost-plugin-playbooks-v2.8.0%2Bc4449ac-fips PLUGIN_PACKAGES += mattermost-plugin-agents-v1.7.2%2B866e2dd-fips PLUGIN_PACKAGES += mattermost-plugin-boards-v9.2.2%2B4282c63-fips endif
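Review bot: neither hunk carries the authorization check itself and the commit message does not reference the plugin-side change or MMSA-2025-00552, so a reviewer cannot confirm from these lines that mattermost-plugin-playbooks-v2.8.0 actually contains the team_id fix; add the plugin PR or advisory ID to the message. The FIPS hunk pins a different build (`v2.8.0%2Bc4449ac-fips`) from the plain `v2.8.0` tag, so please also confirm that c4449ac is the same v2.8.0 tagged commit rather than an intermediate build. Finally, this only changes what the server pre-packages; installs that obtained Playbooks from the marketplace or by manual upload are not covered by this Makefile and need the plugin upgraded separately.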
Vulnerability mechanics
Root cause
"Missing authorization check when updating a playbook's team_id allows users with only Manage Playbook Configurations permission to move a playbook to a different team, bypassing manage members restriction."
Attack vector
An authenticated attacker with the Manage Playbook Configurations permission can send a PUT request to the playbook API endpoint, supplying a different team_id in the request body. The server fails to verify whether the user has permission to change the team association, so the playbook is silently moved to another team. This bypasses the manage members restriction that would normally prevent the attacker from controlling which team owns the playbook. The attack requires low privileges and network access, but the CVSS score is low because the impact is limited to integrity of the playbook's team assignment.
Affected code
The vulnerability exists in the Playbooks plugin API endpoint that handles PUT requests for updating playbooks. The advisory does not specify the exact file or function, but the patch updates the plugin from v2.7.0 to v2.8.0 in the server/Makefile [patch_id=918528]. The defect is in the server-side logic that processes the team_id field during playbook updates.
What the fix does
The patch updates the Playbooks plugin from v2.7.0 to v2.8.0 [patch_id=918528]. The Makefile diff only shows the version bump; the advisory describes the defect as a missing check on whether team_id is being changed, so the plugin-side fix is expected to detect a modified team_id on a PUT request and either reject the change or require the appropriate team-level permission before applying it. With that check in place, a user holding only Manage Playbook Configurations can no longer move a playbook to a different team, closing the authorization bypass [CWE-863].
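The defect class described in Exploitation, Attack vector and What the fix does, as an added Go model that is not code from Mattermost or the Playbooks plugin. The playbook type, the in-memory store, the permission table and the user names are constructed for the example; the team-scoped `manage_team_members` gate in the fixed handler is an assumption about what a correct check looks like, not a statement of what v2.8.0 does (rejecting any team_id change outright would be an equally valid fix). The vulnerable handler gates the update on the playbook-scoped permission only and overwrites the whole record; the fixed handler compares the submitted TeamID with the stored one first.

```go
package main

import (
	"errors"
	"fmt"
)

// Playbook is a hypothetical, minimal stand-in for the plugin's playbook record.
type Playbook struct {
	ID     string
	Title  string
	TeamID string
}

type Permission string

const (
	// Playbook-scoped permission named in the advisory.
	PermManagePlaybookConfig Permission = "manage_playbook_configurations"
	// Team-scoped permission assumed here to gate moving a playbook between teams.
	PermManageTeamMembers Permission = "manage_team_members"
)

// PermissionChecker answers "does user hold perm on scope", where scope is a playbook or team ID.
type PermissionChecker interface {
	HasPermission(userID, scope string, perm Permission) bool
}

// staticPerms is a constructed lookup table keyed "user|scope|perm".
type staticPerms map[string]bool

func (p staticPerms) HasPermission(userID, scope string, perm Permission) bool {
	return p[userID+"|"+scope+"|"+string(perm)]
}

type Store struct{ playbooks map[string]Playbook }

var (
	ErrNotFound  = errors.New("playbook not found")
	ErrForbidden = errors.New("forbidden")
)

// UpdatePlaybookVulnerable mirrors the defect class in the advisory: the only gate is the
// playbook-scoped permission, and the whole record, TeamID included, is overwritten.
func (s *Store) UpdatePlaybookVulnerable(pc PermissionChecker, userID string, in Playbook) error {
	cur, ok := s.playbooks[in.ID]
	if !ok {
		return ErrNotFound
	}
	if !pc.HasPermission(userID, cur.ID, PermManagePlaybookConfig) {
		return ErrForbidden
	}
	s.playbooks[in.ID] = in // a changed TeamID is never noticed
	return nil
}

// UpdatePlaybookFixed adds the missing step: compare the incoming TeamID with the stored one
// and, only if it differs, require the team-scoped permission on source and destination.
func (s *Store) UpdatePlaybookFixed(pc PermissionChecker, userID string, in Playbook) error {
	cur, ok := s.playbooks[in.ID]
	if !ok {
		return ErrNotFound
	}
	if !pc.HasPermission(userID, cur.ID, PermManagePlaybookConfig) {
		return ErrForbidden
	}
	if in.TeamID != cur.TeamID {
		if !pc.HasPermission(userID, cur.TeamID, PermManageTeamMembers) ||
			!pc.HasPermission(userID, in.TeamID, PermManageTeamMembers) {
			return fmt.Errorf("%w: team_id change %s -> %s", ErrForbidden, cur.TeamID, in.TeamID)
		}
	}
	s.playbooks[in.ID] = in
	return nil
}

// Attempt builds a fresh fixture (constructed data) and has userID PUT playbook pb-1 with
// its team set to newTeam. It returns the team pb-1 ends up on and the handler's error.
func Attempt(fixed bool, userID, newTeam string) (string, error) {
	store := &Store{playbooks: map[string]Playbook{
		"pb-1": {ID: "pb-1", Title: "Incident response", TeamID: "team-a"},
	}}
	perms := staticPerms{
		"mallory|pb-1|manage_playbook_configurations": true, // attacker: playbook permission only
		"alice|pb-1|manage_playbook_configurations":   true, // team admin on both teams
		"alice|team-a|manage_team_members":            true,
		"alice|team-b|manage_team_members":            true,
	}
	req := Playbook{ID: "pb-1", Title: "Incident response (edited)", TeamID: newTeam}
	var err error
	if fixed {
		err = store.UpdatePlaybookFixed(perms, userID, req)
	} else {
		err = store.UpdatePlaybookVulnerable(perms, userID, req)
	}
	return store.playbooks["pb-1"].TeamID, err
}

func main() {
	for _, fixed := range []bool{false, true} {
		team, err := Attempt(fixed, "mallory", "team-b")
		fmt.Printf("fixed=%v mallory -> team=%s err=%v\n", fixed, team, err)
	}
}
```

The point to take from the fixed handler is that the check is keyed on a diff against stored state, not on the request alone: a same-team edit by the attacker still succeeds, and a user who genuinely holds rights on both teams can still move the playbook, so the fix narrows exactly the bypass and nothing else.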
Preconditions
- auth: Attacker must have a valid Mattermost account with the Manage Playbook Configurations permission on the source playbook.
- input: The playbook must exist and be accessible to the attacker via the API.
- network: Network access to the Mattermost server API endpoint for updating playbooks (PUT).
Generated on May 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. mattermost.com/security-updates (Vendor Advisory, listed by NVD)
News mentions
No linked articles in our index yet (0).